Update June 29
As the screenshots of the certificate show, it was not expired. The Comodo
Certificate Revocation List showed that the certificate was revoked less
than 12 hours before it was sent, which means it was stolen and ready
to be used while it was still valid. Perhaps it was used while still
valid for a while before I got it. Digitally signed messages are used to gain the recipient's trust. Contagio has examples of stolen valid and invalid certificates used
to sign malicious binaries in order to bypass application white-listing
and other filters. Speaking of CRLs, here are two articles
related to web certificates.
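The timeline above (certificate revoked, then the signed message sent a few hours later) is exactly what a recipient's CRL check has to resolve. The following is an added example, not code from this post or from Comodo: it builds a constructed one-entry CRL with the `cryptography` package, verifies the CRL signature against the issuing CA key, looks up the certificate serial, and reports whether the message was sent before or after the revocation and by how many hours. The CA key, serial number and timestamps are all constructed for the demo.

```python
# Added example (not code from the Contagio post): check a certificate's
# serial against a CRL and compare the revocation time with the time the
# signed message was sent. Requires the "cryptography" package. The CA,
# serial number and timestamps below are constructed for the demo.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_sample_crl(ca_key, revoked_serial, revoked_at):
    """Issue a one-entry CRL (constructed stand-in for the real issuer's CRL)."""
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA (constructed)")])
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(revoked_serial)
        .revocation_date(revoked_at)
        .build(default_backend())
    )
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(revoked_at + timedelta(hours=1))  # CRL published after the revocation
        .next_update(revoked_at + timedelta(days=7))
        .add_revoked_certificate(entry)
        .sign(ca_key, hashes.SHA256(), default_backend())
    )


def _as_utc(entry):
    """Revocation date as an aware UTC datetime across cryptography versions."""
    utc = getattr(entry, "revocation_date_utc", None)
    if utc is None:
        utc = entry.revocation_date.replace(tzinfo=timezone.utc)
    return utc


def revocation_status(crl, ca_public_key, serial, sent_at):
    """Return (status, hours); hours is the gap between revocation and sending.

    Status values:
      crl_untrusted          - CRL signature does not verify against the CA key
      not_revoked            - serial absent from the CRL
      revoked_before_sending - cert was already revoked when the message was sent
      revoked_after_sending  - cert was still unrevoked at sending time
    """
    if not crl.is_signature_valid(ca_public_key):
        return ("crl_untrusted", None)
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return ("not_revoked", None)
    revoked_at = _as_utc(entry)
    hours = (sent_at - revoked_at).total_seconds() / 3600.0
    status = "revoked_before_sending" if hours >= 0 else "revoked_after_sending"
    return (status, hours)


def demo():
    """Constructed timeline: revoked at 00:00 UTC, message sent 11 hours later."""
    ca_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    serial = 0x1234ABCD  # constructed serial, not taken from the post
    revoked_at = datetime(2011, 6, 28, 0, 0, tzinfo=timezone.utc)
    sent_at = revoked_at + timedelta(hours=11)
    crl = build_sample_crl(ca_key, serial, revoked_at)
    return revocation_status(crl, ca_key.public_key(), serial, sent_at)


if __name__ == "__main__":
    print(demo())  # ('revoked_before_sending', 11.0)
```

The point of the `hours` value is the CRL caching window: a client that fetched the CRL before the revocation was published still has a "clean" list until its `next_update`, so a message signed shortly after revocation passes a stale check. A verifier that refreshes the CRL (or uses OCSP) at validation time sees the revocation.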

Tuesday, June 28, 2011

-- This message came from a compromised account of mail.ppboces.org, the mail server for Pikes Peak Board of Cooperative Educational Services in Colorado Springs, CO. It has two attachments exploiting CVE-2011-0611.
-- The payload is Trojan Taidoor / Rubinurd, which is a frequently used trojan for targeted attacks (see more with Taidoor here). For attribution reasons, I would like to know if this is a private custom trojan or something commercial and thus used by more than one group of attackers. If you happen to know, let me know. The PDF and the payload have Chinese language in the file metadata and code.
-- The CC IP addresses are 62.38.148.117 (443, 80) - Hellas On Line S.A., Greece, Attiki and 64.167.26.66 (80) - SBC Internet Services, Costa Mesa, CA

Sunday, June 26, 2011

Not sure if it is noticeable, but there are a lot of tweaks, including
the addition of a mobile template. It is a work in progress; I will tweak it
more later. Update: Changed to fixed width to prevent columns from running over
each other.

Friday, June 24, 2011

Exploit Information

More about RTLO is here. Right to Left Override unicode can be used for multiple spoofing cases, by Jordi Chancel: "RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE unicode, and it will always cause the directional reverse reading order of the other characters following it, including the extension type of a malicious file! This UNICODE, whose name we will simplify to [RTLO], cannot be seen, owing to the fact that its characters and its place are invisible. Use RTLO to reverse the direction of reading of file names, including the extension of the concerned file, while keeping the same type of execution. Example: using a syntax like "SexyPictureGirlAl[RTLO]gpj.exe" will be read as "SexyPictureGirlAlexe.jpg"."
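From the defender's side, the useful check is whether an attachment name contains any Unicode bidirectional control character at all, and what the name will look like on screen versus what the real extension is. The following is an added example, not code from this post or from Jordi Chancel's article; it uses only the Python standard library. The rendering function is a deliberate simplification of the Unicode bidi algorithm (after an RTLO it reverses the rest of the name), which is accurate for plain ASCII names like the one quoted above.

```python
# Added example (not from the post): flag file names carrying Unicode
# bidirectional control characters and show the displayed name versus the
# real extension. The sample names below are constructed.
import unicodedata

# Explicit bidi formatting characters; U+202E is the RIGHT-TO-LEFT OVERRIDE
# described in the post. The others are the related embedding/isolate controls.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO = "\u202e"


def _strip_controls(text):
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate how a file browser draws the name: everything after the
    first RLO is shown right-to-left until the end of the string. This is a
    simplification of the full Unicode bidi algorithm, sufficient for ASCII."""
    idx = name.find(RLO)
    if idx < 0:
        return _strip_controls(name)
    head = _strip_controls(name[:idx])
    tail = _strip_controls(name[idx + 1:])
    return head + tail[::-1]


def real_extension(name):
    """The extension the operating system actually uses (controls removed)."""
    clean = _strip_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze_filename(name):
    """Return a small report for an attachment name."""
    controls = sorted(
        unicodedata.name(c, "U+%04X" % ord(c)) for c in set(name) if c in BIDI_CONTROLS
    )
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    ext = real_extension(name)
    return {
        "suspicious": bool(controls),          # any bidi control in a file name is abnormal
        "controls": controls,
        "displayed": shown,
        "real_extension": ext,
        "extension_mismatch": bool(controls) and ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed samples: the spoofed name from the post and a benign one.
    for sample in ("SexyPictureGirlAl\u202egpj.exe", "report.pdf"):
        print(analyze_filename(sample))
```

A mail gateway or attachment scanner can apply `analyze_filename` to every attachment name and quarantine on `suspicious`, since legitimate file names have no reason to contain these control characters; the `extension_mismatch` field is what distinguishes a plain oddity from an executable dressed up as an image.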

Wednesday, June 15, 2011

These posts all contain the same trojan, but they were not created for the sake of samples. They are meant to show how compromised USA servers are used for a stream of phishing emails. The first was noticed on May 31, 2011 and the last was today, June 13, 2011.

mail.louisvilleheartsurgery.com (66.147.51.202) appears to be a misconfigured mail server allowing relay, but only a forensic examination of the server can provide more details. If you are a patient and are concerned about your records, please note that the mail server is not the same as a database or a data server; patient records are most likely on a different server and not affected. Also, these attackers are not after the louisvilleheartsurgery.com data; they usually use the mail service to reach their targets elsewhere. The phishing campaign, judging by the targets, topics, and trojans used, is targeting researchers and experts working on Chinese and Taiwan issues.

General File Information

The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting.
The server must be misconfigured or compromised and is being actively
used as a relay for phishing.

General File Information

The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting.
The server must be misconfigured or compromised and is being actively
used as a relay for phishing. (I have other examples of phish mail sent
via that server and I will post them as soon as I can.)

General File Information

The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting.
The server must be misconfigured or compromised and is being actively
used as a relay for phishing. (I have other examples of phish mail sent
via that server - pretty much everything is the same - note the additional C2 IP in this post.)

General File Information

The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server and I will post them as soon as I can.)

Sunday, June 5, 2011

There has been a lot of speculation recently on how much sensitive data a hacker can find in personal email accounts, considering it is against the rules in most places to use personal accounts for work. Although there are strict rules for classified messages and documents, the intruders are often satisfied with merely sensitive or merely informational messages for building the picture they need. While I don't know how strict the rules are at the White House, the following behavior is common for at least some US Government offices and for many companies. This information is from my own knowledge, as well as accounts of people working for the US Government, the military, Fortune 500 companies, non-government research institutions, and other places.

I am sure you will find none of these scenarios surprising; they are all very common.

SIX WAYS SENSITIVE DATA FINDS ITS WAY TO PERSONAL EMAIL ACCOUNTS
1. Google Apps accounts are often created in addition to corporate/work mail to allow easy document sharing between different companies - for one project, or as a permanent setup.
2. Employees create auto-forwarding of all work emails to their personal accounts for easy reading on personal mobile devices (not everyone has a work-issued mobile device).
3. Employees, regardless of their employer, need to communicate with people who work elsewhere. They cannot control whether their recipients use free webmail or what they do with their mail - and their recipients can be targeted.
4. Employees often trust personal webmail more than their work accounts for privacy reasons. They know their work mail is heavily monitored, archived, and filtered, and they sometimes need to say something to each other "off the record". This may include work-related topics, their supervisors, etc.
5. Employees, especially when traveling, often manually forward selected messages from work to personal accounts. This is because it is easier to check personal accounts than to log in with smart cards, RSA keys, and VPN just to refer to a few things they may need for work during their travel or work-at-home period.
6. Employees may forward mail to personal accounts before leaving their job - some places allow auto-forward and in others you can do it manually. People forward contacts or important messages that they may need after they start a new job.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.